| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Mon, Mar 07th, 2011 @ 01:25 ( . ) |
I've been curious about the 2nd level protection checks on early V-Max games like Defender of the Crown. This is the one that's triggered when you go raiding or jousting. The game loads data from track 11 which signals a load to the protection code on track 18. It then iterates over tracks 12-18 checking each for a number of things: 1. Finds the 10 byte sector 0 GCR header and checks the next four bytes after it. 2. Verifies that the header ends in GCR byte $AF before the next sync mark. 3. Verifies that the header length is 17 bytes (not including the $AF byte). 4. Verifies that the first data byte after the sync mark in the data block is GCR $55. This check fails for me in Vice even though the byte in the file is correct. Changing the last sync byte to a $55 so that there's 2 $55 bytes in a row causes it to pass though. Maybe a timing error? 5. This last one I'm not entirely sure about. It seems to count the bytes in the header block again, using a different method. It reads 8 header blocks, totals the byte reads, divides by 8, and stores it in a table. It repeats it again for the same track, does some math with it against the previous value, and stores it back in the table. You wind up with a table of 7 values (tracks 12-18). These values are then checked. Track 18's value must differ from all of the others, and some others must be the same, some different. On my copy in Vice, tracks 12-17 are all the same, and 18 is different. So this check fails. Maybe someone can look at this code and figure out what its purpose is? Is there supposed to be bad GCR in here that causes the drive to read back a different number of bytes each time? Maybe something emulators don't yet support? I've attached the commented disassembly since it doesn't seem to display properly in the forum. The section of interest for #5 is $0239-$024a (calls the check) and $076a-$07a9 (the check itself). I'm not well versed on 1541 internals, so I may have misinterpreted some of of the instructions, leading to my confusion. Also, in-memory patching of the $55 byte problem and the byte counter allows the protection to pass, but then it goes back to track 12, loads for a few seconds, then crashes. So the investigation isn't yet finished. |
Attachments: |
| 1299479100_dotc-vmax.txt |
3/07/2011 @ 19:52--Lord Crass 3/08/2011 @ 02:19------Lord Crass 3/29/2011 @ 23:55--Lord Crass 3/31/2011 @ 01:04--------Lord Crass 3/31/2011 @ 22:25------------Lord Crass 4/01/2011 @ 12:01----------------Lord Crass 4/01/2011 @ 18:02--------------------hyper active 4/02/2011 @ 01:55------------------------hyper active 4/02/2011 @ 05:42----------------------------hyper active 4/03/2011 @ 23:51------hyper active 4/04/2011 @ 04:33----------Lord Crass 4/04/2011 @ 06:22--------------Lord Crass 4/04/2011 @ 19:26------------------Lord Crass 4/06/2011 @ 03:36----------------------hyper active 4/06/2011 @ 17:46--------------------------hyper active 4/06/2011 @ 20:41------------------------------hyper active 4/17/2011 @ 11:55----------------------------------Pete Rittwage 4/24/2011 @ 07:54--------------------------------------Fungus 4/27/2011 @ 22:51------------------------------------------Fungus 4/28/2011 @ 02:41----------------------------------------------Lord Crass 4/28/2011 @ 10:36--------------------------------------------------Fungus 5/12/2011 @ 23:46------------------------------------------------------Fungus 1/17/2013 @ 01:40----------------------------------------------------------hyper active --- 0 Users Online --- 0 Recent Unique Posters |